Is this expected behavior?

Prior to enabling “Private Instance” and disabling “Federation enabled” settings, user profiles were also publicly accessible at https://<instance-url>/u/kryoseu.

Making the instance private and disabling federation made profiles inaccessible without authentication. However images are still exposed.